When is a back door not a back door?

By Patrick Marshall

Jan 16, 2018

FBI Director Christopher Wray recently called the inability of law enforcement to crack encryption on cellphones and other devices an “urgent public safety issue.” Noting that the bureau was unable to access data from more than half the devices it tried to crack over the fiscal year that ended on Sept. 30 -- specifically, 7,775 devices -- despite having the legal authority to do so, Wray told a cybersecurity conference on Jan. 9 that a solution to the problem is “not so clear cut.”

Wray’s warning echoed that of FBI Director James Comey in 2015, who told Congress that the ability of terrorist groups like ISIS to securely encrypt their communications “leads us to a very, very dark place.” At the same time, Comey called for limiting the use of commercial encryption and possibly requiring encryption software providers to insert “back doors” that would allow law enforcement with court authorization to crack devices.

Comey’s proposals spurred what one observer at the time called “a wall of opposition” from digital security experts and engineers who argued that inserting back doors into software creates vulnerabilities that could be exploited by hackers, including criminals and foreign intelligence services.

Comey’s call for back doors also drew a response from a high-powered national security trio -- Mike McConnell, former director of the National Security Agency and director of national intelligence; Michael Chertoff, former homeland security secretary; and William Lynn, former deputy defense secretary. In a July 2015 op-ed article, the three experts argued that while they recognized the national security value of being able to crack encrypted devices, widespread use of uncrackable encryption by U.S. businesses and government agencies is an even higher priority.

In his recent call for a solution to uncrackable encryption, Wray did not address these concerns directly.

“We need and want the private sector’s help,” Wray said. “I recognize this entails varying degrees of innovation by the industry to ensure lawful access is available. But I just don’t buy the claim that it’s impossible.”

Curiously, while Wray specifically said “we’re not looking for a ‘back door,’” he then implicitly asked for one. “What we’re asking for is the ability to access the device once we’ve obtained a warrant from an independent judge, who has said we have probable cause,” he said.

Wray cited an example of the kind of compromise he's seeking. In 2015 some major banks began using the Symphony chat and messaging platform that promised "guaranteed data deletion." Regulators, fearing that the app could be used to hamper financial investigations, reached an agreement with the banks to "ensure responsible use of Symphony" by retaining copies of communications and storing duplicate copies of encryption keys with independent custodians.

"So the data in Symphony was still secure and encrypted," Wray said, "but also accessible to regulators, so they could do their jobs."

While the FBI is looking for a way forward, Wray called for the private sector’s help. "We need them to respond to lawfully issued court orders, in a way that is consistent with both the rule of law and strong cybersecurity," he said. "We need to have both, and can have both."

The problem remains, say other experts, that if the government can access the data, so, too, can hackers.